Can enterprises place too much emphasis on security regulatory compliance?

Learn why companies that place too much emphasis on security regulatory compliance run the risk of neglecting a full-orbed structured assessment methodology that takes business impact into consideration. Discover how you can help your clients to avoid this mistake.

Can enterprises place too much emphasis on security regulatory compliance?

Absolutely.

Security regulatory compliance is actually the natural by-product of a well-executed risk management strategy. It's the floor and not the ceiling when it comes to protecting the most important assets of an enterprise. Yet it has become abused and over-used as the measure of the security and fidelity of the information assets in many enterprises today.

Download this free guide

Could Securing Your Channel Business Be Easier? We Can Help.

Download our latest guide to the top strategies solution providers can leverage for starting up and securing a cloud practice, successful approaches to selling and marketing cloud, and why it is urgent for partners to transition now.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

As I mentioned in my recent posting regarding PCI-DSS, security regulatory compliance does not equal security. Further, security does not always equal effective risk management, especially in the absence of a structured assessment methodology that takes business impact into consideration.

Instead of managing risk and assessing business impact within this context, compliance has become the regulated solution for force-feeding transparency and plugging the gap between the two approaches. This has happened for many reasons -- some good, some bad.

The reality is that most enterprises see security regulatory compliance as a necessary evil, as well as a way of securing budget in hard times, but that doesn't necessarily mean that compliance contributes to the things that matter most. It simply means that the low-hanging fruit of due care and due diligence have been attended to.

In today's threat and vulnerability-centric security landscape, security regulatory compliance has unfortunately become the metric against which the efficacy and effectiveness of information security programs are measured. This is because managing risk is hard work. Compliance, if you believe the vendor hype, is only a point-and-click or a single product deployment away.

By setting the bar at compliance, enterprises can be lulled into a false sense of "security." As I mentioned in my PCI-DSS post, Hannaford Brothers was compliant with PCI-DSS, and yet they suffered a horrific breach. Time will tell whether the gaps associated with their security regulatory compliance efforts, versus managing the things that matter most, were contributors to their failings.

There's little excuse for not being compliant and there's even less excuse for not managing risk.

The availability of mature risk assessment frameworks (such as OCTAVE and FAIR) combined with the maturity of IT and governance frameworks (such as COBIT and ITIL) provide an excellent foundation upon which to manage risk and measure and maintain compliance without sacrificing at the altar of possibility.

By now, given the rampant escalation in dramatic data breaches, security integrators and the customers they serve recognize that hope – and the compliance that sometimes shores it up – is not a strategy.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy